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NRS AUDIT AND RISK COMMITTEE MEETING 
13 December 2018 
Lord Clerk Register’s Room 
General Register House, Edinburgh 


Present: 

Colin Ledlie Non-Executive Director (Chair) 

Mandy Gallacher Non-Executive Director 

Asif Haseeb Audit Scotland, External Auditor 

Jonny Steen Audit Scotland, External Auditor 

Myra Binnie Scottish Government, Internal Auditor 

Lorraine Twyford Scottish Government, Internal Auditor 

Anne Slater NRS, acting Chief Executive 

Linda Sinclair NRS, Director of Strategy & Business Services (Accountable 


Officer) 
Steven Hanlon NRS, Chief Financial Officer 
Anna Krakowska NRS Head of Strategy & Planning 
Shirley Cameron NRS Governance Administration (secretariat) 


Apologies: 
Bill Matthews Non-Executive Director 


1. Welcome, Introductions and Declaration of Interests 


1.1 Apologies were received and accepted from Bill Matthews. There were no 
new declarations of interest. 


2. Matters arising 

2.1 There were no matters arising. 

3. Minutes and Actions 

3.1 The minutes of 3 September were accepted without change. 
3.2 All actions were closed as completed. 

4. NRS Update Report 


4.1 Anne Slater (AS) confirmed that Paul Lowe, currently CEO of Students Awards 
Agency Scotland would join NRS on 17 December as NRS Chief Executive. 


4.2 Recruitment to posts approved within the revised organisational structure had 
continued throughout 2018. A pause for approval of recruitment to any new posts 
would allow time to reflect on prioritisation of posts in relation to the NRS future budget 
position. 

4.3 Census 2021 funding continues to be discussed with SG and Ministers. 
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4.4 2018 People Survey indicated the overall response rate was down by 4%. 


4.5 — A Common Operating Platform programme would deliver consolidation around 
networks for NRS. 


4.6 Adam Dome was currently closed to staff and public to allow a survey on the 
ceiling condition to progress. Public Services continue to be delivered without impact. 


5. NRS Governance Report: Risk Management and Internal Controls 


5.1 Anna Krakowska (AK) presented the Governance Report for the year to date 
for the committee’s review and comment. 


5.2 A refresh of the corporate risk register was reported, introducing a consistent 
approach to presentation of risks as well as reporting the proposal for delegation of 
control to the appropriate Governance Boards. 


5.3 The Committee welcomed the refreshed report and expression of risks in 
certain areas. They were content with the approach providing this continued to drive 
control action. 


6. NRS People Risk - Deep Dive 


6.1 Linda Sinclair (LS) delivered a presentation to the Committee setting out the 
current position in relation to risks and activity impacting on the people in the 
organisation in the context of: 


e Risks recorded: 

1. NRS 2: If we fail to identify and implement an effective workforce 
planning strategy then this will affect our ability to get the skilled 
resource, capability or knowledge we need for particular roles to deliver 
our priorities and delivery targets. 

2. NRS 11: If we don’t have the right people in the right places , with the 
required skills, capability and knowledge then we will not be able to 
deliver new IT services and/or support existing services which results in 
unrecoverable Service outages, regulatory and legal breaches, data loss 
and reputational damage. 

e People Survey 2018 results - recently published. 

e People Plan 2017 — progress 

e Implementation of new organisational structure and service priorities — varied 
resourcing approaches 

e Implementation of new Governance — monitoring and decisions. 

e Workforce Planning Review — terms of reference together with Internal Audit 
input. 

e Engagement — approaches and progress 
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6.2 |The committee noted and welcomed the amount of work in progress across the 
different streams. 


6.3 The committee were interested in the proposed staff engagement network and 
how that would contribute to better engagement. LS explained that a Terms of 
Reference was being developed for the network programme as well as considering 
other routes to widen engagement through line managers and improved 
communication channels across NRS, with a range of methods being considered. 


6.4 The committee were interested in skills development approaches. LS explained 
that budget would continue to fund learning and development across NRS with the 
focus to develop as an organisation and building the skills NRS requires. 


6.5 With regard to recruitment, the committee noted the progress in this area and 
discussed areas where the market for specialist skills could be a challenge and noted 
that key person risk, particularly relating to the Census programme was being 
considered. 


7. Finance Report 


7.1 Steven Hanlon (SH) updated the committee with a summary of the key points 
from the 2018-19 budget position, highlighting a forecast £261k underspend against 
the Spring Budget Revision (SBR) revenue budget position. 


7.2 SH indicated the key financial risks remain the same as reported at the 
committee meeting of September 2018 and would continue to be monitored in-year by 
EMB, these related to: 


Staff costs 

Census 2021 

Digital Preservation Programme 
IT Services 

Income 


7.3 The position on capital spending plans had become clearer since the last 
committee meeting, with a plan of activity identified as achievable by the end of the 
forecast year. The reported position of £200k unallocated funding for capital would be 
considered by EMB as part of the discussions on available funding. 


8. Performance Management 


8.1 Anne Slater provided the committee with an update on performance 
management approaches and key performance indicators. Draft ideas were also been 
created around corporate and operational health with the aim of settling these by 1 
April 2019 for the next reporting year. A report would come to a future ARC during 
2019. 


9. Governance Coordination 
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9.1 Linda Sinclair (LS) provided an update on how the committee can coordinate 
effectively with NRS Board with responsibility for risk management, control and 
governance. 


9.2 LS indicated that the governance structure as set out was being embedded at 
different rates of progress. Each board would have a defined role in the organisation, 
with Executive Management Board more established than the Customer and 
Operations Board (COB) or the Digital and Strategy Board (DSB). The priority into 
2019 is to: 


e Continue to establish the governance approach across NRS 
e Better understand the linkages between the boards 
e Establish forward work plan for EMB for 2019 


9.3 The Committee would have the opportunity to request a deep dive of activity 
from any of the Boards and with the potential to examine assurance activities in the 
organisation. 


New Action (A13/18): EMB forward work plan 2019 to be shared with ARC 
members. Action Owner: Secretariat 


9.4 In summary, the committee agreed to continuing the adopted approach of 
reporting through the Governance report which provided ARC members with 
assurance and confidence that appropriate information was being reported. Also 
closing off an action from the Audit and Risk Committee self-assessment checklist. 


10. Internal Audit interim progress report on active/follow-up audits 


10.1 Myra Binnie (MB) summarised the key messages from the report and updated 
the Committee on current activities as follows: 
e Scottish Government Internal Audit Directorate (SG IAD) remained on track to 
deliver the 2018-19 programme. 
e Lorraine Twyford had been appointed as the new Internal Audit Business 
Manager covering NRS. 
e SG IAD is looking to provide greater coverage of SG corporate systems 
during the remainder of 2018-19. 
e The planning process for 2019-20 had recently commenced. 


10.2 External auditors were also engaging with SG IAD to work together. 


New action (A14/18): Committee members to be added to SG IAD quarterly 
information bulletin. Action Owner: SG IAD Lorraine Twyford 


11. Audit Recommendation Status Report 
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11.1 Anna Krakowska informed the Committee that the IT Security Events and 
GDPR recommendation has now concluded, reducing the open recommendations 
from 18 to 16. External Audit would also include progress on the recommendations in 
their future report. 


11.2 The Committee noted the progress was being made to reduce the number of 
open actions and recognised the effort from management to conclude action on audit 
recommendations. The Committee were content that NRS were prioritising action for 
the remaining actions appropriately. 


12. Forward Look 

12.1 The Committee noted the content of the forward look and considered the 
timetabling of the ‘deep dive’ discussions at ARC. No further ‘deep dives’ topics were 
identified by the Committee at this point, although Change risk may be something to 
consider for discussion at a future meeting. 

13. Audit Scotland Report: EU Withdrawal 

13.1 The Committee noted the report which was tabled for information. 

14. Any Other Business 

14.1 Mandy Gallacher raised the fact that only two Committee members were 
present for the meeting and questioned the appropriateness of the current quorum. It 
was noted that there is an action for management to consider succession planning to 
ARC and that increasing the membership of the Committee should be a high priority. 


14.2 There was no other business arising. The next meeting is scheduled for 
Thursday 28 February 2019 Room 1/G/8, Ladywell House, Edinburgh. 


END 


